@@ -92,21 +92,11 @@ private static void ajaxRequest(final SimpleRPCRunnable runnable) {
9292 if (checkXSS (url , serialize , runnable )) {
9393 return ;
9494 }
95- if ("get" .equals (method .toLowerCase ())) {
96- try {
97- String query = URLEncoder .encode (serialize , "UTF-8" );
98- if (url .indexOf ('?' ) != -1 ) {
99- /* should not come to this branch! */
100- url += "&jzz=" + query ;
101- } else {
102- url += "?" + query ;
103- }
104- serialize = null ;
105- } catch (UnsupportedEncodingException e ) {
106- // should never throws such exception!
107- //e.printStackTrace();
108- }
95+ String url2 = adjustRequestURL (method , url , serialize );
96+ if (url2 != url ) {
97+ serialize = null ;
10998 }
99+
110100 final HttpRequest request = new HttpRequest ();
111101 request .open (method , url , true );
112102 request .registerOnReadyStateChange (new XHRCallbackAdapter () {
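Review bot: The URL returned by `adjustRequestURL` is never used — `url2` is only compared against `url` to decide whether to null `serialize`, and `request.open(method, url, true)` on the following context line still opens the original `url`, so a GET request now goes out with neither the query string nor a body, whereas the removed code appended the encoded payload to `url` itself. Restoring that behaviour needs the assignment inside the branch, `if (url2 != url) { url = url2; serialize = null; }` (`url` is reassignable, as the removed `url +=` shows). The reference comparison only works because `url += ...` always allocates a new String; `!url2.equals(url)` states the intent directly and is no more expensive. Separately, on GET the serialized RPC payload rides in the query string and so ends up in server access logs, proxy logs and browser history — the hunk preserves that pre-existing behaviour, but callers sending anything sensitive should be routed through POST, and that caveat belongs on `adjustRequestURL`'s javadoc. ajaxRequest starts before this hunk and its body continues past it.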
@@ -123,17 +113,29 @@ public void onLoaded() {
123113 request .send (serialize );
124114 }
125115
116+ protected static String adjustRequestURL (String method , String url , String serialize ) {
117+ if ("GET" .equals (method .toUpperCase ())) {
118+ try {
119+ String query = URLEncoder .encode (serialize , "UTF-8" );
120+ if (url .indexOf ('?' ) != -1 ) {
121+ /* should not come to this branch! */
122+ url += "&jzz=" + query ;
123+ } else {
124+ url += "?" + query ;
125+ }
126+ } catch (UnsupportedEncodingException e ) {
127+ // should never throws such exception!
128+ //e.printStackTrace();
129+ }
130+ }
131+ return url ;
132+ }
133+
126134 /**
127- * Check cross site script. Only make senses for JavaScript.
128- *
135+ * Check that whether it is in cross site script mode or not.
129136 * @param url
130- * @param serialize
131- * @param runnable
132137 * @return
133- */
134- protected static boolean checkXSS (String url , String serialize , SimpleRPCRunnable runnable ) {
135- /**
136- * @j2sNative
138+ * @j2sNative
137139if (url != null && (url.indexOf ("http://") == 0
138140 || url.indexOf ("https://") == 0)) {
139141 var host = null;
@@ -143,61 +145,79 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl
143145 } else {
144146 host = url.substring (url.indexOf ("//") + 2);
145147 }
146- if (window.location.host != host || window.location.protocol == "file:") {
147- var g = net.sf.j2s.ajax.SimpleRPCRequest;
148- if (g.idSet == null) {
149- g.idSet = new Object ();
150- }
151- var rnd = null;
152- while (true) {
153- var rnd = Math.random () + "0000000.*";
154- rnd = rnd.substring (2, 8);
155- if (g.idSet["o" + rnd] == null) {
156- g.idSet["o" + rnd] = runnable;
157- break;
158- }
159- }
160- var limit = 7168; //8192;
161- if (window["script.get.url.limit"] != null) {
162- limit = window["script.get.url.limit"];
163- }
164- var ua = navigator.userAgent.toLowerCase ();
165- if (ua.indexOf ("msie")!=-1 && ua.indexOf ("opera") == -1){
166- limit = 2048;
167- limit = 2048 - 44; // ;jsessionid=
148+ return (window.location.host != host || window.location.protocol == "file:");
149+ }
150+ return false; // ftp ...
151+ */
152+ protected static boolean isXSSMode (String url ) {
153+ return false ;
154+ }
155+
156+ /**
157+ * Check cross site script. Only make senses for JavaScript.
158+ *
159+ * @param url
160+ * @param serialize
161+ * @param runnable
162+ * @return
163+ */
164+ protected static boolean checkXSS (String url , String serialize , SimpleRPCRunnable runnable ) {
165+ /**
166+ * @j2sNative
167+ if (net.sf.j2s.ajax.SimpleRPCRequest.isXSSMode (url)) {
168+ var g = net.sf.j2s.ajax.SimpleRPCRequest;
169+ if (g.idSet == null) {
170+ g.idSet = new Object ();
171+ }
172+ var rnd = null;
173+ while (true) {
174+ var rnd = Math.random () + "0000000.*";
175+ rnd = rnd.substring (2, 8);
176+ if (g.idSet["o" + rnd] == null) {
177+ g.idSet["o" + rnd] = runnable;
178+ break;
168179 }
169- limit -= url.length + 36; // 5 + 6 + 5 + 2 + 5 + 2 + 5;
170- var contents = [];
171- var content = encodeURIComponent(serialize);
172- if (content.length > limit) {
173- parts = Math.ceil (content.length / limit);
174- var lastEnd = 0;
175- for (var i = 0; i < parts; i++) {
176- var end = (i + 1) * limit;
177- if (end > content.length) {
178- end = content.length;
179- } else {
180- for (var j = 0; j < 3; j++) {
181- var ch = content.charAt (end - j);
182- if (ch == '%') {
183- end -= j;
184- break;
185- }
180+ }
181+ var limit = 7168; //8192;
182+ if (window["script.get.url.limit"] != null) {
183+ limit = window["script.get.url.limit"];
184+ }
185+ var ua = navigator.userAgent.toLowerCase ();
186+ if (ua.indexOf ("msie")!=-1 && ua.indexOf ("opera") == -1){
187+ limit = 2048;
188+ limit = 2048 - 44; // ;jsessionid=
189+ }
190+ limit -= url.length + 36; // 5 + 6 + 5 + 2 + 5 + 2 + 5;
191+ var contents = [];
192+ var content = encodeURIComponent(serialize);
193+ if (content.length > limit) {
194+ parts = Math.ceil (content.length / limit);
195+ var lastEnd = 0;
196+ for (var i = 0; i < parts; i++) {
197+ var end = (i + 1) * limit;
198+ if (end > content.length) {
199+ end = content.length;
200+ } else {
201+ for (var j = 0; j < 3; j++) {
202+ var ch = content.charAt (end - j);
203+ if (ch == '%') {
204+ end -= j;
205+ break;
186206 }
187207 }
188- contents[i] = content.substring (lastEnd, end);
189- lastEnd = end;
190208 }
191- } else {
192- contents[0] = content;
209+ contents[i] = content.substring (lastEnd, end);
210+ lastEnd = end;
193211 }
194- g.idSet["x" + rnd] = contents;
195- // Only send the first request, later server return "continue", and client will get
196- // the session id and continue later requests.
197- net.sf.j2s.ajax.SimpleRPCRequest.callByScript(rnd, contents.length, 0, contents[0]);
198- contents[0] = null;
199- return true; // cross site script!
212+ } else {
213+ contents[0] = content;
200214 }
215+ g.idSet["x" + rnd] = contents;
216+ // Only send the first request, later server return "continue", and client will get
217+ // the session id and continue later requests.
218+ net.sf.j2s.ajax.SimpleRPCRequest.callByScript(rnd, contents.length, 0, contents[0]);
219+ contents[0] = null;
220+ return true; // cross site script!
201221}
202222 */ { }
203223 return false ;
@@ -284,23 +304,23 @@ static void xssNotify(String nameID, String response, String session) {
284304 if (response == "continue" ) {
285305 /**
286306 * @j2sNative
287- * var g = net.sf.j2s.ajax.SimpleRPCRequest;
288- * if (session != null){
289- * g.idSet["s" + nameID] = session;
290- * }
291- * var xcontent = g.idSet["x" + nameID];
292- * if (xcontent != null) {
293- * //The following codes may be modified to send out requests one by one.
294- * if (xcontent != null) {
295- * for (var i = 0; i < xcontent.length; i++) {
296- * if (xcontent[i] != null) {
297- * g.callByScript(nameID, xcontent.length, i, xcontent[i]);
298- * xcontent[i] = null;
299- * }
300- * }
301- * g.idSet["x" + nameID] = null;
302- * }
303- * }
307+ var g = net.sf.j2s.ajax.SimpleRPCRequest;
308+ if (session != null){
309+ g.idSet["s" + nameID] = session;
310+ }
311+ var xcontent = g.idSet["x" + nameID];
312+ if (xcontent != null) {
313+ //The following codes may be modified to send out requests one by one.
314+ if (xcontent != null) {
315+ for (var i = 0; i < xcontent.length; i++) {
316+ if (xcontent[i] != null) {
317+ g.callByScript(nameID, xcontent.length, i, xcontent[i]);
318+ xcontent[i] = null;
319+ }
320+ }
321+ g.idSet["x" + nameID] = null;
322+ }
323+ }
304324 */ {}
305325 return ;
306326 }